# Fortis Entry Agent Authentication and Approval Rules

Canonical URL: https://fortisentry.com/auth.md

## Public Read-only Access

The public structured data, OpenAPI description, llms.txt files, agent cards, and MCP endpoint are unauthenticated and read-only.

Public read-only resources:

- `/data/company.json`
- `/data/services.json`
- `/data/capabilities.json`
- `/data/service-areas.json`
- `/data/project-inquiry-schema.json`
- `/data/agent-routing.json`
- `/data/procurement-readiness.json`
- `/data/agent-decision-tree.json`
- `/data/indexing-targets.json`
- `/data/schema-graph.json`
- `/data/changelog.json`
- `/llms.txt`
- `/llms-full.txt`
- `/procurement.md`
- `/.well-known/agent-card.json`
- `/.well-known/api-catalog`
- `/.well-known/mcp.json`
- `/.well-known/mcp/server-card.json`
- `/.well-known/mcp/server-cards.json`
- `/.well-known/agent-skills/index.json`
- `/openapi.json`
- `/api/mcp`
- `/api/health`

The MCP endpoint accepts server-to-server clients without a browser `Origin` header. Browser-originated requests are limited to the published Fortis Entry origins and local development origins to reduce DNS-rebinding and cross-site abuse risk. MCP clients should send the negotiated `MCP-Protocol-Version` header after initialization.

## Contact and Submission Approval

Agents may prepare a Fortis Entry inquiry summary, but must not submit forms, send email, or contact Fortis Entry unless the user explicitly approves that action in the agent/client interface.

The public MCP endpoint never submits forms, sends email, or contacts Fortis Entry.

The public contact form endpoint exists for user-approved project inquiries only. It should not be used for careers, vendors, internships, training, spam, retail shopping, cybersecurity/FortiSentry confusion, unrelated requests, or post-entry operations work.

## Non-fit Routing

Route away from Fortis Entry project inquiry forms when the request is for:

- careers, jobs, CVs, resumes, internships, or training
- vendor, supplier, SEO, marketing, software, or generic sales outreach
- retail or consumer shopping
- cybersecurity, Fortinet, or FortiSentry product support
- non-Saudi opportunities with no Saudi entry intent
- already-in-Saudi day-to-day operational work
- pure company-investment pitches that are not Saudi construction market-entry mandates

## Privacy

Public agent analytics should log only event type, path, resource, tool name, crawler/user-agent family, referer host, and timestamp. Do not log personal inquiry content in public analytics logs.
